The Department of Health and Human Services (HHS) is struggling to keep up with the overflowing caseload in its Office for Civil Rights. Hackers stealing medical information in the United States are causing millions of dollars in losses to hospitals, insurers and other health organizations. According to Politico, health data breaches have impacted 113 million people since 2020. HHS is supposed to enforce the federal privacy law, HIPAA, but it is overwhelmed by the number of claims.
“The Department of Health and Human Services’ Office for Civil Rights, which is tasked with investigating breaches, helping health care organizations bolster their defenses, and fining them for lax security, is poorly positioned to help. That’s because it has a dual mission — both to enforce the federal health privacy law known as HIPAA and to help the organizations protect themselves — and Congress has given it few resources to do the job.
“They’re a fish out of water … They were given the role of enforcement under HIPAA but weren’t given the resources to support that role,” said Mac McMillan, CEO of CynergisTek, a Texas firm that helps health care organizations improve their cybersecurity.
Due to its shoestring budget, the Office for Civil Rights has fewer investigators than many local police departments, and its investigators have to deal with more than a hundred cases at a time. The office had a budget of $38 million in 2022 — the cost of about 20 MRI machines that can cost $1 million to $3 million a pop.
The scope of the threat is massive and the consequences of breaches severe. According to a 2021 survey by the Healthcare Information and Management Systems Society, more than two-thirds of health care organizations had a “significant” incident in the previous year — mostly phishing or ransomware attacks.
These episodes pose potentially significant financial consequences and can threaten patients’ lives. A recent report from cybersecurity company Cynerio and the Ponemon Institute, a cybersecurity research center, found that about 1 in 4 cyberattacks resulted in increased mortality by delaying care.
Experts said the health care sector is particularly vulnerable to attacks, partly due to its digital transformation and partly due to its vulnerability to ransomware. Disrupting care could endanger patients’ lives, which can leave health care organizations feeling forced to fork over ransoms. In 2021 alone, hackers accessed records of nearly 50 million people, raising privacy concerns and leaving many vulnerable to fraud.”
Read more at Politico.
With a dearth of resources, HHS is buckling under the pressure of the overwhelming number of claims. Mortality rates in the United States have risen due to hackers stealing personal medical information. Hospitals, insurers and other companies have taken the hit, with a high price tag. HIPAA is being threatened. HHS Secretary Xavier Becerra and cybersecurity co-chairs have been examining this problem and have questioned the government’s “lack of robust and timely sharing of actionable threat information with industry partners.”